Understanding Information Management & Protection
Two mistakes are often made when considering how to make a small or medium-sized business (SMB) cyber secure. The first is thinking that threat actors are only interested in big fish, or that your business is small enough to somehow fly under the cybercriminal radar. With a few state-sponsored exceptions, cybercriminals tend to be lazy and understand that the most accessible targets return the quickest profits. And talking of easier targets, your business may not be the ultimate prize an attacker is looking at. Instead, you may simply be a stepping stone towards it: the point of access in a supply chain attack en route to a higher-value target.
The second mistake is in understanding what cybersecurity is. The Oxford Languages dictionary definition, “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this,” is literal. However, the US Cybersecurity and Infrastructure Security Agency (CISA) hits the nail on the head when it comes to practicality: “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
Cybersecurity involves guarding both the ‘information’ and the ‘technology’ of IT against loss of confidentiality, integrity and availability. This means preventing unauthorized access to company or customer data, trade secrets and transactional data, for example, and it also means denying attackers the information they would use to attack the very technologies being protected. When we talk about information, it’s essential to understand the breadth and depth of the term as it relates to threat actor interest. Information includes IP addresses and network drawings, but also patch management schedules and incident response plans: a patch schedule tells an attacker how long a known vulnerability will stay exploitable, and a response plan tells them which detections to avoid. All of it can be used to increase the effectiveness of an attack.
Perhaps the best example of how information and technology combine within the remit of any management and protection plan is the ever-evolving nature of the ransomware business. This started as simply a matter of using vulnerabilities or social engineering to get access to your network and lock it down, with data encrypted until a ransom was paid for the decryption key. Now, more often than not, the attackers will also steal the data before encrypting it, to use as leverage in payment demands (so-called double extortion). Backups alone won’t protect your data: a restore brings back availability, but it does nothing about the copy the attacker has already taken. Patch management, vulnerability testing and security awareness training are all required to keep the attacker out in the first place.
This is where the concept of information management and protection comes into play. Here are three steps that SMBs should consider in understanding its vital role in protecting the organization.
- Assess, model and plan
You can’t adequately protect against threats unless you know what it is you have and how it might be compromised. An information security management framework, a set of policies and controls to manage risk across your business, starts with knowing what you have, where it is and its value to the organization and would-be attackers alike. Asset visibility is critical: audit networks, software and processes to determine what data each one stores and what it connects to. Threat modelling is equally important for addressing the ever-changing attack surface, by identifying vulnerabilities, prioritizing the risk they pose and determining mitigations. Those mitigations may come through vulnerability and patch management programs, device and data access controls, encryption and even physical security measures. Compiling such a framework requires analysis of how your business handles, uses and protects data; it demands a holistic understanding of security risk.
- Remediation, response and recovery
Good management is all about proper planning, and that includes planning for risk remediation, incident response and recovery. It’s easy but wrong to think of risk remediation as being all about network security tools that detect and mitigate attacks. Of course, those are an important part of any information management and protection policy, but it should also include incident response planning and testing. Remember, there is no such thing as 100% secure; attackers can and do get through defenses. How you deal with it when they do will determine how badly your business is interrupted and what losses, if any, are suffered. Information protection, therefore, must include ensuring data remains available in the event of an incident, and that incident may not even be cybersecurity-related but down to machine failure or human error. SMBs should document a comprehensive program that identifies important information and establishes a process for backing that data up on a recurring, consistent basis, regardless of who is tasked with performing the procedure. A backup that has never been test-restored is an assumption, not a recovery plan, so the process should include verifying that backups are intact and restorable. This means investing in the right tools or services to make the backup process more sustainable, consistent, reliable and repeatable.
- Empower employees
Perhaps the most overlooked components of any information management and protection implementation are the people responsible for making it work. Everyone from the shop floor to the top floor must play a part in the process if it is to be successful. A comprehensive education and training program can reduce the risk of social engineering, poor password hygiene and the like. However, understanding the human factor goes beyond these headline topics and must be built into every stage of your security planning and implementation. What use is the most complete security policy if it’s unclear what employees need to report or, indeed, to whom and how to report it? Training cannot be thought of as a one-off induction process either. It must be ongoing and integrated; it has to become part of the business culture if a culture of secure thinking is to emerge.
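The recovery point above, that a backup must be repeatable and verifiably restorable regardless of who runs it, is easier to act on with a concrete routine. The following is an added example written for this guide, not code from the article or from any backup product. It archives a directory, records a SHA-256 digest for the archive and for every file, then proves the backup by restoring it into scratch space and comparing digests; it also shows the check failing when the archive has been altered, which is what a ransomware crew encrypting your backup set would look like. The directory names, file contents and manifest layout are all constructed for illustration.

```python
"""Verifiable backup: archive a directory, record SHA-256 digests, and prove the
backup restores cleanly before an incident forces the question.
Added example for this guide; paths, sample data and manifest layout are
hypothetical and not taken from any product."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_dir: Path, label: str) -> tuple[Path, Path]:
    """Write <label>.tar.gz and <label>.manifest.json into dest_dir.
    The manifest records a digest per file plus the digest of the finished
    archive, so later verification can detect silent corruption and deliberate
    tampering without trusting the archive's own contents."""
    archive = dest_dir / f"{label}.tar.gz"
    files: dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest = {"archive": archive.name, "archive_sha256": sha256_file(archive), "files": files}
    manifest_path = dest_dir / f"{label}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> dict:
    """Restore into scratch space and compare every file with the manifest.
    'ok' is True only if the archive digest matches and every listed file
    restores with its recorded digest, with nothing missing or unexpected."""
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": False, "archive_digest_ok": False, "mismatched": [], "missing": [], "unexpected": []}
    if sha256_file(archive) != manifest["archive_sha256"]:
        return report  # never extract an archive we cannot trust
    report["archive_digest_ok"] = True
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):
                tar.extractall(root, filter="data")  # refuses path traversal (Python 3.12+ / backports)
            else:
                tar.extractall(root)  # older interpreters: archive already authenticated above
        restored = {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}
    expected = manifest["files"]
    report["missing"] = sorted(set(expected) - set(restored))
    report["unexpected"] = sorted(set(restored) - set(expected))
    report["mismatched"] = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    report["ok"] = not (report["missing"] or report["unexpected"] or report["mismatched"])
    return report


def demo() -> tuple[bool, bool]:
    """Constructed sample: a tiny business-data tree, one clean verification,
    then a corrupted archive to show the same check failing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")  # constructed sample
        (src / "ledger" / "2024-q1.txt").write_text("invoices: 42\n")  # constructed sample
        out = Path(tmp) / "backups"
        out.mkdir()
        archive, manifest = create_backup(src, out, "nightly-2024-04-01")
        clean_ok = verify_backup(archive, manifest)["ok"]
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF  # simulate corruption or tampering of the backup set
        archive.write_bytes(data)
        tampered_ok = verify_backup(archive, manifest)["ok"]
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print("clean backup verifies: %s, tampered backup verifies: %s" % demo())
```

Two design points matter for an SMB. The manifest is written alongside the archive but should be stored separately in production (a different account, or offline media), because an attacker who can encrypt the archive can also rewrite a manifest kept next to it. And the archive digest is checked before extraction, so a corrupted or tampered backup is never unpacked onto a machine you are trying to recover.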
If you are a small business reading this, you probably think this sounds like an awful lot of work to take on. It is, especially when you are not afforded the luxury of an in-house security team to cover all the information management and protection bases. Skilled cybersecurity specialists do not come cheap and are in high demand, meaning even the largest enterprises with matching budgets can find it hard to recruit sufficient personnel. Yet the inconvenient truth remains that without proper cybersecurity planning and implementation, SMBs become more vulnerable to attack and less likely to know when they have been hit. If both finances and experience are in short supply, outsourcing to a specialist that has already made the necessary investments will cost a lot less than a do-it-yourself approach, and reduce your risk exposure at the same time.
ITEGRITI Guest Author: Davey Winder is a freelance technology journalist and a senior contributor to Forbes, as well as being contributing editor at PC Pro magazine since the first issue back in 1994. Davey was named ‘Cyber Writer’ of the year in the 2020 Security Serious Unsung Heroes awards.
This SMB Guide is part of a series to assist small and medium-sized businesses with their cybersecurity needs. You can read others in the series here:
- Cybersecurity Guide: The Role of a CISO
- Cybersecurity Guide: Security Awareness & Training
- Cybersecurity Guide: Asset Inventory
- Cybersecurity Guide: Asset Baselines, Hardening and Change Management
- Cybersecurity Guide: Vulnerability Management
- Cybersecurity Guide: Access & Account Management
- Cybersecurity Guide: Supply Chain Management/Third Party Vendors
- Cybersecurity Guide: Incident Management & Review
- Cybersecurity Guide: Information Management & Protection
- Cybersecurity Guide: Boundary Defense, Electronic & Physical Security